本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
教程:亚马逊 OpenSearch 无服务器 (CLI) 安全入门
为了安全起见,本教程将引导您完成控制台入门教程中描述的步骤,但使用Amazon CLI的是而不是 OpenSearch 服务控制台。
在本教程中,您将完成以下步骤:
-
创建 IAM 权限策略
-
将 IAM policy 附到 IAM 角色上
-
创建加密策略
-
创建网络策略
-
创建集合
-
配置数据访问策略
-
检索集合端点
-
将数据上载到您的连接
-
在您的连接中搜索数据
本教程的目标是使用相当简单的加密、网络和数据访问设置来设置单个 OpenSearch Serverless 集合。例如,我们将配置公共网络访问、用于加密的 Amazon 托管式密钥,以及向单个用户授予最低权限的简化数据访问策略。
在生产场景中,应考虑实施更强大的配置,包括 SAML 身份验证、自定义加密密钥和 VPC 访问权限。
开始使用 OpenSearch 无服务器中的安全策略
-
注意
如果您已经在使用更广泛的基于身份的策略,如
Action":"aoss:*"或Action":"*",则可以跳过此步骤。但在生产环境中,建议您遵循最低权限原则,仅分配完成任务所需的最低权限。首先,创建一个 Amazon Identity and Access Management 策略,该策略拥有执行本教程中的步骤所需的最低权限。我们将该策略命名为
TutorialPolicy:aws iam create-policy \ --policy-name TutorialPolicy \ --policy-document "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Action\": [\"aoss:ListCollections\",\"aoss:BatchGetCollection\",\"aoss:CreateCollection\",\"aoss:CreateSecurityPolicy\",\"aoss:GetSecurityPolicy\",\"aoss:ListSecurityPolicies\",\"aoss:CreateAccessPolicy\",\"aoss:GetAccessPolicy\",\"aoss:ListAccessPolicies\"],\"Effect\": \"Allow\",\"Resource\": \"*\"}]}"示例响应
{ "Policy": { "PolicyName": "TutorialPolicy", "PolicyId": "ANPAW6WRAECKG6QJWUV7U", "Arn": "arn:aws:iam::123456789012:policy/TutorialPolicy", "Path": "/", "DefaultVersionId": "v1", "AttachmentCount": 0, "PermissionsBoundaryUsageCount": 0, "IsAttachable": true, "CreateDate": "2022-10-16T20:57:18+00:00", "UpdateDate": "2022-10-16T20:57:18+00:00" } } -
将
TutorialPolicy附加到 IAM 角色,该角色将在集合中索引并搜索数据。我们将该用户命名为TutorialRole:aws iam attach-role-policy \ --role-nameTutorialRole\ --policy-arn arn:aws:iam::123456789012:policy/TutorialPolicy -
在创建集合之前,您需要创建加密策略,该策略要将 Amazon 拥有的密钥分配给您会在后续步骤中创建的 books(书籍)集合。
发送以下请求,为 books(书籍)集合创建加密策略:
aws opensearchserverless create-security-policy \ --name books-policy \ --type encryption --policy "{\"Rules\":[{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AWSOwnedKey\":true}"示例响应
{ "securityPolicyDetail": { "type": "encryption", "name": "books-policy", "policyVersion": "MTY2OTI0MDAwNTk5MF8x", "policy": { "Rules": [ { "Resource": [ "collection/books" ], "ResourceType": "collection" } ], "AWSOwnedKey": true }, "createdDate": 1669240005990, "lastModifiedDate": 1669240005990 } } -
创建网络策略,该策略将提供针对 books(书籍)集合的公共访问权限:
aws opensearchserverless create-security-policy --name books-policy --type network \ --policy "[{\"Description\":\"Public access for books collection\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection\/books\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AllowFromPublic\":true}]"示例响应
{ "securityPolicyDetail": { "type": "network", "name": "books-policy", "policyVersion": "MTY2OTI0MDI1Njk1NV8x", "policy": [ { "Rules": [ { "Resource": [ "collection/books" ], "ResourceType": "dashboard" }, { "Resource": [ "collection/books" ], "ResourceType": "collection" } ], "AllowFromPublic": true, "Description": "Public access for books collection" } ], "createdDate": 1669240256955, "lastModifiedDate": 1669240256955 } } -
创建 books(书籍)集合:
aws opensearchserverless create-collection --name books --type SEARCH示例响应
{ "createCollectionDetail": { "id": "8kw362bpwg4gx9b2f6e0", "name": "books", "status": "CREATING", "type": "SEARCH", "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0", "kmsKeyArn": "auto", "createdDate": 1669240325037, "lastModifiedDate": 1669240325037 } } -
创建数据访问策略,该策略将提供索引和搜索 books(书籍)集合中的数据的最低权限。将主体 ARN 替换为步骤 1 中
TutorialRole的 ARN:aws opensearchserverless create-access-policy \ --name books-policy \ --type data \ --policy "[{\"Rules\":[{\"ResourceType\":\"index\",\"Resource\":[\"index\/books\/books-index\"],\"Permission\":[\"aoss:CreateIndex\",\"aoss:DescribeIndex\",\"aoss:ReadDocument\",\"aoss:WriteDocument\",\"aoss:UpdateIndex\",\"aoss:DeleteIndex\"]}],\"Principal\":[\"arn:aws:iam::123456789012:role\/TutorialRole\"]}]"示例响应
{ "accessPolicyDetail": { "type": "data", "name": "books-policy", "policyVersion": "MTY2OTI0MDM5NDY1M18x", "policy": [ { "Rules": [ { "Resource": [ "index/books/books-index" ], "Permission": [ "aoss:CreateIndex", "aoss:DescribeIndex", "aoss:ReadDocument", "aoss:WriteDocument", "aoss:UpdateDocument", "aoss:DeleteDocument" ], "ResourceType": "index" } ], "Principal": [ "arn:aws:iam::123456789012:role/TutorialRole" ] } ], "createdDate": 1669240394653, "lastModifiedDate": 1669240394653 } }现在,
TutorialRole应该能够索引和搜索 books(书籍)集合中的文档。 -
要调用 OpenSearch API,您需要收集端点。发送以下请求以检索
collectionEndpoint参数:aws opensearchserverless batch-get-collection --names books示例响应
{ "collectionDetails": [ { "id": "8kw362bpwg4gx9b2f6e0", "name": "books", "status": "ACTIVE", "type": "SEARCH", "description": "", "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0", "createdDate": 1665765327107, "collectionEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com", "dashboardEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/_dashboards" } ], "collectionErrorDetails": [] }注意
在集合状态更改为
ACTIVE之前,您将无法看到集合端点。在成功创建集合之前,可能需要进行多次调用以检查状态。 -
使用 Postman
或 curl 等 HTTP 工具,将数据索引到 books(书籍)集合中。我们将创建一个名为 books-index 的索引,并添加一个文档。 使用
TutorialRole的凭证,将以下请求发送到您在上一步中检索到的集合端点。PUT https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_doc/1 { "title": "The Shining", "author": "Stephen King", "year": 1977 }示例响应
{ "_index" : "books-index", "_id" : "1", "_version" : 1, "result" : "created", "_shards" : { "total" : 0, "successful" : 0, "failed" : 0 }, "_seq_no" : 0, "_primary_term" : 0 } -
要开始搜索您的集合中的数据,请使用搜索 API
。以下查询将执行基本搜索: GET https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_search示例响应
{ "took": 405, "timed_out": false, "_shards": { "total": 6, "successful": 6, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 2, "relation": "eq" }, "max_score": 1.0, "hits": [ { "_index": "books-index:0::3xJq14MBUaOS0wL26UU9:0", "_id": "F_bt4oMBLle5pYmm5q4T", "_score": 1.0, "_source": { "title": "The Shining", "author": "Stephen King", "year": 1977 } } ] } }